Listbox wrote:
> Thanks Rich!
>
> I just looked in /usr/share/dirsrv/data, and the file "template.ldif" looks
> like what I get for the ldapquery of acis in dc=hymesruzicka, dc=org. It
> does not have any entries for uid=admin ( or uid=%as_uid% ).
>
Right. That's the file that is used for just the fedora-ds-base package -
the admin server and console stuff are "add-ons".
> I did find the file "16dssuffixadmin.mod.tmpl", and looks like it may be
> useful as a model to make more of the correct acis. Is this a good idea?
Yes.
> How much more should I modify it?
>
You have to replace the %token% items:
ds_suffix - your suffix e.g. dc=hymesruzicka, dc=org or cn=config or
cn=schema or etc.
as_uid - admin or change the entire DN
uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot to
some other DN that you want to use for an administrator.
You can just omit the SIE Group ACI

Then just feed that file to ldapmodify e.g.
ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif

Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit it
in place.
> /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl
>
> # BEGIN COPYRIGHT BLOCK
> ...
> # END COPYRIGHT BLOCK
> dn: %ds_suffix%
> changetype: modify
> add: aci
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
>
>
> Thanks again!
>
> ************************************************
> ************************************************
> ************************************************
> for bind in config schema monitor ; do ldapsearch -x -D "cn=directory manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 4
> # numEntries: 3
> # extended LDIF
> #
> # LDAPv3
> # base <cn=schema> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> # extended LDIF
> #
> # LDAPv3
> # base <cn=monitor> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # monitor
> dn: cn=monitor
> aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || connection")(version 3.0; acl "monitor"; allow( read, search, compare ) userdn = "ldap:///anyone";)
>
> # search result
> search: 2
> result: 0 Success
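The token substitution Rich describes, as a small POSIX shell helper added here (it is not code from the thread or from the 389/Fedora Directory Server project): it renders a copy of the template with %ds_suffix% and %as_uid% filled in, drops the SIE Group ACI, and refuses to emit LDIF that still carries an unreplaced %token%. The embedded template text is a constructed stand-in with one aci per line, and dc=example,dc=com, admin and the /tmp paths are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread: render a copy of
# 16dssuffixadmin.mod.tmpl the way Rich describes.  %ds_suffix% and
# %as_uid% are filled in, the SIE Group ACI (whose %dsid%/%brand%/%fqdn%/
# %domain% tokens only make sense with a registered admin server) is
# dropped, and the result is rejected if any %token% is left unreplaced,
# so a half-rendered ACI never reaches ldapmodify.

# Constructed stand-in for the real template file, one aci per line.
SAMPLE_TEMPLATE='dn: %ds_suffix%
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)'

# render_admin_acis TEMPLATE_FILE SUFFIX ADMIN_UID
# Prints the rendered LDIF on stdout; returns 1 and prints nothing on
# stdout if a %token% survives the substitution.  Assumes each aci sits on
# one line; if your copy of the template wraps an aci onto LDIF
# continuation lines, check that the SIE Group continuation is gone too.
render_admin_acis() {
    tmpl=$1; suffix=$2; as_uid=$3
    rendered=$(grep -v 'acl "SIE Group"' "$tmpl" \
        | sed -e "s|%ds_suffix%|$suffix|g" -e "s|%as_uid%|$as_uid|g")
    if printf '%s\n' "$rendered" | grep -q '%[A-Za-z_]*%'; then
        echo "render_admin_acis: unreplaced %token% in $tmpl" >&2
        return 1
    fi
    printf '%s\n' "$rendered"
}

# Typical use (commented out: it needs a live server).  Work on a copy of
# the template, as Rich says, and let ldapmodify prompt for the password
# (-W) rather than putting it on the command line:
#   cp /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl /tmp/myadmin.tmpl
#   render_admin_acis /tmp/myadmin.tmpl "dc=example,dc=com" admin > /tmp/myadmin.ldif
#   ldapmodify -x -D "cn=directory manager" -W -f /tmp/myadmin.ldif
```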